Abstract

We tackle the issue of representing infinite sets of real-valued vectors. This paper introduces an operator for combining integer and real sets. Using this operator, we decompose three well-known logics extending Presburger with reals. Our decomposition splits a logic into two parts: one integer, and one decimal (i.e. on the interval $[0, 1[$). We also give a basis for an implementation of our representation.



1 Introduction 

Verification (and model-checking in particular) of infinite systems like timed automata [1] (and hybrid systems) and counter systems [5] needs good symbolic representation classes; by good, we mean having closure properties (by first-order logic operators) and decidability results (for testing inclusion and emptiness). Presburger arithmetic [27][23] enjoys such good properties, and some efficient implementations (using finite automata) have been intensively used for the analysis of counter systems.

Despite the fact that the complete arithmetic on reals is decidable [28], only some restricted classes of the first-order additive logic of reals (DBM, CPDBM, finite unions of convex polyhedra) have been used for the analysis of timed automata. This is mainly due to the fact that the algorithmic complexity of DBM is polynomial, which is the basis of efficient verification algorithms for timed automata in UppAal [11][25].

However, we would like to be able to use both integers and reals, for at least two reasons. First, we want to analyse timed counter systems [2][3][13] in which the reachability sets contain vectors with both integers and reals. Second, we want to be able to use integers as parameters for a concise representation of pure reals: for instance, reals are used for the values of clocks and integers for expressing the parameters in CPDBM.

Fortunately, the first-order additive logic over integers and reals is decidable. Nevertheless, the algorithmics of sets combining integers and reals does not seem simple, even when it is based on finite automata like Real Vector Automata [13][16] or weak RVA [8], or on quantifier elimination [29].
For that matter, the algorithmics of Presburger (using finite automata) and variations of DBM are quite efficient. Hence, our idea is to reduce the algorithmic difficulty of the first-order additive logic of integers and reals (and of some subclasses and decidable extensions) by decomposing a complex set of integers and reals into a finite union of sums of integer sets and decimal sets. By decimal, we mean numbers in the dense interval $[0, 1[$; then, we define a new class of sets as follows. Given n sets of integers $(Z_i)_{0 \le i < n}$ and n sets of decimals $(D_i)_{0 \le i < n}$, we introduce the operator finite union of sums, which builds the finite unions of the sums $Z_i + D_i$. This class is shown stable under boolean operations, cartesian product, quantification and reordering if both of the two initial classes are also stable.

One of our aims is then to re-use, in combining the best representations of these two initial sets $(Z_i)_{0 \le i < n}$ and $(D_i)_{0 \le i < n}$, the best libraries dealing with them to efficiently handle finite unions of $(Z_i + D_i)_{0 \le i < n}$ (for instance: PresTAF [?] for the integers and PPL [4] for the reals).

We show that three of the main classes of mixed integer and real sets are in fact finite unions of sums of well-known classes. We prove that finite unions of sums of Presburger sets of integers and sets definable in the first-order additive logic of decimals are exactly the sets definable in the first-order logic of integers and reals. The finite unions of CPDBM are expressible as the finite unions of sums of Presburger-definable sets and DBM-definable decimal sets. Moreover, when we go beyond Presburger by considering RVA, we show that the class of sets representable by RVA in basis b is the finite unions of sums of Presburger extended with a predicate $V_b$ (which gives integer powers in base b) and the additive logic of decimals extended with a predicate $W_b$ (which, similarly to $V_b$, gives negative powers in base b).



2 Representations mixing integers and reals 

In this section, we motivate our work with a small example of timed automaton. We show that extracting integers from reals can yield more concise formulas than pure reals. Then we introduce an operator combining integer and real sets of vectors.



2.1 Timed Automata and DBM 

In order to study real-life systems involving behaviours that depend on time elapsing, timed automata are probably the most used and well-known model for such systems. As described in [1], the basic idea of timed automata is to add real-valued variables (called clocks) to finite automata. These clocks model temporal behaviours of the system, flowing at a universal constant rate; each clock can be compared to an integer constant, and possibly reset to 0. The only other guard allowed is called a diagonal constraint, consisting in comparing the difference of two clocks to an integer constant. As the clocks' values are unbounded, the state-space generated by a timed automaton is infinite; therefore, regions are used to model a finite abstraction of the system's behaviour. Practically intractable because of its size, the region graph is then implemented as zones in most verification tools [11][25][16][24] modelling such real-time systems.

Technically, zones are represented by Difference Bound Matrices (DBM) [12][21] in these tools. A DBM is a square matrix representing the constraints between n clocks defining a zone. Here, we see a DBM as a tuple $(c, \prec)$, where

$c = (c_{i,j})_{0 \le i,j \le n}$, $\prec = (\prec_{i,j})_{0 \le i,j \le n}$, $c_{i,j} \in \mathbb{Z} \cup \{+\infty\}$, and $\prec_{i,j} \in \{<, \le\}$.

Each element of this tuple is an element of the square matrix, defining a DBM set as follows:

$$\left\{ r \in \mathbb{R}^n \,\middle|\, \bigwedge_{0 \le i,j \le n} r_i - r_j \prec_{i,j} c_{i,j} \right\}$$

where $r_1, \dots, r_n$ are the values of the n clocks. In order to deal with constraints involving only one clock, the fictive clock $r_0$ is always set to the value 0. An element $(c_{i,j}, \prec_{i,j})$ means that $r_i - r_j \prec_{i,j} c_{i,j}$ for the two corresponding clocks. Thus, each element of a DBM represents a diagonal constraint (i.e. a bounded difference). Finally, terms that do not represent any actual constraint are symbolized by $+\infty$.


2.2 About extensions of DBM 

On the following example taken from [9], the timed automaton features 2 clocks x and y, and a unique location. The automaton's behaviour is very simple: y is reset to 0 as soon as it reaches 1, while x flows continually. In the initial state, the clocks are both set to 0. Moreover, an invariant in the location ensures that y never exceeds 1.

[Figure not reproduced: the timed automaton, a single location with invariant $y \le 1$.]

The clock diagram associated to the automaton explicitly shows this behaviour:

[Clock diagram not reproduced.]
A classical forward analysis [17] is considered here, by computing the reachable states (i.e. location $\times$ clock values) from the initial one (where $x = y = 0$). Then, we build the corresponding zones, each zone being represented by a DBM; here, we have an infinite yet countable set of DBM as follows. Note that in this example $\prec$ is always $\le$; therefore, we will omit it in the matrices.




[The infinite family of DBM, one per value of the index $j$, is not reproduced.]

In order to make the state-space computable, abstraction techniques are used to get a finite number of zones. The abstraction being used in most model-checkers is based on maximum constants; a clock c's valuation is considered equal to $\infty$ as soon as it exceeds the maximal constant to which c is ever compared. On the example, if a guarded transition $x > 10^6$ leads to another state, then the clock diagram becomes as follows:

[Abstracted clock diagram not reproduced.]
More formally, this abstraction yields the following set of DBM:

[Set of DBM not reproduced; it is indexed by $0 \le i \le 10^6$.]

This set of DBM is finite, but remains huge: $10^6 + 2$ matrices need to be computed and memorized, which seems exaggerated, a fortiori for such a simple example. In [9], a more elaborate abstraction is proposed: the clocks' maximal constants are no longer global to the system, but location-dependent. Another abstraction technique is proposed in [10], distinguishing between upper and lower bounds within maximal constants. To the best of our knowledge, these are the only zone-based abstraction techniques; in each of them, the number of DBM still heavily depends on maximal constants.

Writing here such an infinite or huge number of DBM would have been impossible; therefore, we naturally used a parametric representation of these DBM. Actually, this idea is also used by Constrained Parametric DBM (CPDBM) [2], which is the data structure implemented in the TReX [?] model-checker. CPDBM are indeed a more expressive version of DBM, extended in two steps. First, we consider PDBM, in which the constants $c_{i,j}$ become arithmetical terms $t_{i,j}$ (the parameters). Such arithmetical terms t are given by the grammar $t ::= 0 \mid 1 \mid x \mid t - t \mid t + t \mid t * t$, where x belongs to a set X of real variables. Second, a PDBM becomes a CPDBM as terms are constrained by quantifier-free first-order formulas $\phi$. Such formulas are defined by $\phi ::= t < t \mid \neg\phi \mid \phi \vee \phi \mid Is\_int(t)$ (where the predicate $Is\_int(t)$ is true iff t is an integer). Each of the two sets of matrices hereinabove is in fact a single CPDBM.

Consider now another way to represent the set of reachable clock values. On the second diagram showing the abstraction, we can see an obvious regular pattern along x, defined by three shapes: the triangle above the diagonal, the triangle A below it, and the square B. We define each shape as follows:

$\{(x,y) \in [0,1]^2 \mid x \le y\}$, $A = \{(x,y) \in [0,1]^2 \mid x > y\}$, and $B = \{(x,y) \in [0,1]^2\}$.

If we want to represent the same set as the previous abstracted zones, but without DBM, we can express the periodicity of each pattern with integers. To formalize it, taking the union of the following three sums suffices:

$$(\{0, \dots, 10^6 - 1\} \times \{0\} + \{(x,y) \in [0,1]^2 \mid x \le y\}) \;\cup\; (\{10^6\} \times \{0\} + A) \;\cup\; (\{10^6 + 1, \dots, \infty\} \times \{0\} + B)$$



This latter symbolic representation of such a reachability set is much smaller than DBM. Indeed, representing zones with DBM implies memorizing a possibly huge number of matrices, depending on the maximal constant for the clocks (one million, in this example). However, by introducing integers to express periodicity, we can reduce the representation to three small combinations of intervals. Moreover, we can even get rid of the abstraction, so as to get an exact representation for the same cost. CPDBM also have these advantages, but are undecidable because of the multiplication. Hence, let us specify a little more what our representation is: we take finite unions of reals, real numbers being decomposed as sums of integers and smaller reals (called decimals). These integers and reals can be defined using quantification, addition, and boolean operators.

Actually, our approach comes down to representing sets of real numb<br>ers by extracting their integer components; the interesting point is that adding integers to real sets can simplify their representation and ease their handling. One might think that adding integers to such a first-order real logic would make it undecidable, but section 3 proves the opposite. Before that, we need to formalize our representation.



2.3 Composing integers and reals 

Notations. The set $[0, 1[$ is denoted by $\mathbb{D}$ in the sequel. We also call a decimal (number) any $d \in \mathbb{D}$, and a decimal set any $D \subseteq \mathbb{D}$. We write $x$ to denote a vector $(x_1, \dots, x_n)$. Sometimes, in order to be concise, we use FO(...) to denote the sets represented by this first-order logic. However, it does not make our statements incorrect, because we mostly discuss the expressive power of such logics.

Let $\mathfrak{Z} \subseteq \mathcal{P}(\mathbb{Z}^n)$ and $\mathfrak{D} \subseteq \mathcal{P}(\mathbb{D}^n)$; we will assume in this paper that we are using n-dimensional vectors, with $n \in \mathbb{N}$. We denote by¹ $\mathfrak{Z} \uplus \mathfrak{D}$ the class of real vector sets

$$R \subseteq \mathbb{R}^n \text{ s.t. } R = \bigcup_{i=1}^{p} (Z_i + D_i), \text{ with } (Z_i, D_i) \in \mathfrak{Z} \times \mathfrak{D} \text{ and } p \ge 1.$$

¹ The symbol $\uplus$ is sometimes used for the disjoint union, but we do not use such unions in this paper.

Here are some examples of simple sets that might be often used, written as finite unions of sums of integers and decimals:

Example 1. The empty set is written $\emptyset + \emptyset$. The set $\mathbb{R}^n$ is written $\mathbb{Z}^n + \mathbb{D}^n$. The set $\mathbb{Z}^n$ is written $\mathbb{Z}^n + \{0\}$.

Example 2. The set $R_= = \{r \in \mathbb{R}^2 \mid r_1 = r_2\}$ is written

$$\{z \in \mathbb{Z}^2 \mid z_1 = z_2\} + \{d \in \mathbb{D}^2 \mid d_1 = d_2\}$$

Example 3. The set $R_< = \{r \in \mathbb{R}^2 \mid r_1 < r_2\}$ is written:

$$\{z \in \mathbb{Z}^2 \mid z_1 \le z_2\} + \{d \in \mathbb{D}^2 \mid d_1 < d_2\} \;\cup\; \{z \in \mathbb{Z}^2 \mid z_1 < z_2\} + \{d \in \mathbb{D}^2 \mid d_1 \ge d_2\}$$

Example 4. The set $R_+ = \{r \in \mathbb{R}^3 \mid r_1 + r_2 = r_3\}$ is written $\bigcup_{c \in \{0,1\}} \{z \in \mathbb{Z}^3 \mid z_1 + z_2 + c = z_3\} + \{d \in \mathbb{D}^3 \mid d_1 + d_2 = d_3 + c\}$, where c denotes a carry.
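As an added illustration (not code from the paper), the following Python checks examples 3 and 4 by brute force: a real vector is split into its integer part and its decimal part, membership in a finite union of sums $Z_i + D_i$ is tested on a grid of constructed rational points against the direct definition, and a decomposition of $R_+$ that forgets the carry is shown to fail.

```python
from fractions import Fraction
from itertools import product
from math import floor

# Added example, not the paper's code.  A real vector r is split into its
# integer part z = floor(r) and its decimal part d = r - z in [0,1[^n, which is
# the Z + D decomposition of section 2.3.  Integer and decimal sets are
# represented by membership predicates.

def split(r):
    """Decompose r in R^n into (z, d) with z in Z^n and d in D^n = [0,1[^n."""
    z = tuple(floor(Fraction(x)) for x in r)
    d = tuple(Fraction(x) - zi for x, zi in zip(r, z))
    return z, d

def member(union_of_sums, r):
    """Membership of r in a finite union of sums  U_i (Z_i + D_i)."""
    z, d = split(r)
    return any(Z(z) and D(d) for Z, D in union_of_sums)

# Example 3: R_< = {r in R^2 | r1 < r2}
R_LT = [
    (lambda z: z[0] <= z[1], lambda d: d[0] < d[1]),
    (lambda z: z[0] < z[1],  lambda d: d[0] >= d[1]),
]

# Example 4: R_+ = {r in R^3 | r1 + r2 = r3}, one sum per carry c in {0, 1}
R_PLUS = [
    (lambda z, c=c: z[0] + z[1] + c == z[2],
     lambda d, c=c: d[0] + d[1] == d[2] + c)
    for c in (0, 1)
]

# A decomposition that forgets the carry: wrong, kept for contrast
R_PLUS_NO_CARRY = [
    (lambda z: z[0] + z[1] == z[2], lambda d: d[0] + d[1] == d[2]),
]

def check_against_definition(union_of_sums, direct, samples):
    """True iff the decomposition agrees with the direct definition on every sample."""
    return all(member(union_of_sums, r) == direct(r) for r in samples)

def sample_grid():
    """Constructed sample points: all vectors of R^3 on a quarter grid in [-1.5, 1.5]."""
    coords = [Fraction(k, 4) for k in range(-6, 7)]
    return list(product(coords, repeat=3))

if __name__ == "__main__":
    pts3 = sample_grid()
    pts2 = [r[:2] for r in pts3]
    print(check_against_definition(R_LT, lambda r: r[0] < r[1], pts2))
    print(check_against_definition(R_PLUS, lambda r: r[0] + r[1] == r[2], pts3))
    print(check_against_definition(R_PLUS_NO_CARRY, lambda r: r[0] + r[1] == r[2], pts3))
```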

The limits of our representation can be seen with the following counter-example. Consider the set

$$R = \bigcup_{j=1}^{\infty} \left( \{j\} + \left\{ \frac{1}{j+1} \right\} \right);$$

note that we use $j + 1$ (and not simply j) to avoid the case where the decimal part is $\frac{1}{j} = 1$ for $j = 1$ (because it would not be a decimal, i.e. in $[0, 1[$). Our representation cannot deal with such a set; indeed, despite the fact that it is a union of sums of integers and decimals, we can see that the union is inherently infinite. We insist on the finiteness of the union in our representation, mainly for implementability reasons; this will be discussed in section 5.

Now, let us consider the stability of our representation. We prove² that if $\mathfrak{Z} \subseteq \bigcup_{n \in \mathbb{N}} \mathcal{P}(\mathbb{Z}^n)$ and $\mathfrak{D} \subseteq \bigcup_{n \in \mathbb{N}} \mathcal{P}(\mathbb{D}^n)$ are stable by the classical first order operations then the class $\mathfrak{Z} \uplus \mathfrak{D} = \bigcup_{n \in \mathbb{N}} \mathfrak{Z}_n \uplus \mathfrak{D}_n$, where $\mathfrak{Z}_n = \mathfrak{Z} \cap \mathcal{P}(\mathbb{Z}^n)$ and $\mathfrak{D}_n = \mathfrak{D} \cap \mathcal{P}(\mathbb{D}^n)$, is also stable by these operations. The operations we consider are: boolean combinations (union, intersection, difference), cartesian product, quantification, and reordering. We use the following definitions for these last two operations. First, quantification is done by projecting away variables from the considered vector: $\forall R \subseteq \mathbb{R}^n$, $\exists_i R = \{(r_1, \dots, r_{i-1}, r_{i+1}, \dots, r_n) \mid \exists r_i\ (r_1, \dots, r_{i-1}, r_i, r_{i+1}, \dots, r_n) \in R\}$. Second, a reordering is a mere permutation function $\pi$ of the variables' order in a vector: $\forall R \subseteq \mathbb{R}^n$, $\pi R = \{(r_{\pi(1)}, \dots, r_{\pi(n)}) \mid (r_1, \dots, r_n) \in R\}$. Then, we introduce a generic definition for stability:

² Here we have to take unions, depending on the number of dimensions, for a technical purpose: the projection of a component in the vector.



Definition 5. A class $\mathcal{C} \subseteq \bigcup_{n \in \mathbb{N}} \mathcal{P}(\mathbb{R}^n)$ is stable if it is closed under boolean operations, cartesian product, quantification, and reordering.

Notice that taking the union of two such sets is trivial, as they are already unions of integer and decimal parts. Then, observe that $(Z_1 + D_1) \cap (Z_2 + D_2) = (Z_1 \cap Z_2) + (D_1 \cap D_2)$ for any $Z_1, Z_2 \subseteq \mathbb{Z}^n$ and for any $D_1, D_2 \subseteq \mathbb{D}^n$; thus, the stability by union of $\mathfrak{Z}_n \uplus \mathfrak{D}_n$ provides the stability by intersection. From the equality $(Z_1 + D_1) \setminus (Z_2 + D_2) = ((Z_1 \setminus Z_2) + D_1) \cup (Z_1 + (D_1 \setminus D_2))$ we get the stability by difference. The stability by cartesian product is provided by $(Z_1 + D_1) \times (Z_2 + D_2) = (Z_1 \times Z_2) + (D_1 \times D_2)$. The stability by projection comes from $\exists_i R = (\exists_i Z) + (\exists_i D)$, where $R = Z + D$. Finally, the stability by reordering is obtained thanks to $\pi(Z + D) = (\pi Z) + (\pi D)$. We have proved the following proposition, which is later used in the proofs of theorem 7 and proposition 10:

Proposition 6 (Stability). The class $\mathfrak{Z} \uplus \mathfrak{D}$ is stable if $\mathfrak{Z}$ and $\mathfrak{D}$ are stable.

3 First-order additive logic over integers and reals

Using at the same time integers and reals in the whole arithmetic is known to be undecidable. However, when multiplication is left apart, the first-order additive logic is decidable; its decidability has been suggested by Büchi, then proved by [16] with automata and by [29] using quantifier elimination. Actually, it can be seen as the Presburger logic [27] extended to the reals. This first-order logic $FO(\mathbb{R}, \mathbb{Z}, +, <)$ can encode complex linear constraints combining both integral and real variables. In this section we prove that sets definable in this logic can be decomposed into finite unions of $Z + R$ where Z is definable in $FO(\mathbb{Z}, +, <)$ and R is definable in $FO(\mathbb{D}, +, <)$. This result proves that complex linear constraints combining integral and real variables can be decomposed into linear constraints over integers, and linear constraints over reals. More precisely, we prove the following decomposition:

Theorem 7. $FO(\mathbb{R}, \mathbb{Z}, +, <) = FO(\mathbb{Z}, +, <) \uplus FO(\mathbb{D}, +, <)$.

Proof. First of all, observe that any set definable in the logic $FO(\mathbb{Z}, +, <) \uplus FO(\mathbb{D}, +, <)$ is also definable in $FO(\mathbb{R}, \mathbb{Z}, +, <)$. Conversely, the sets $\mathbb{R}$ and $\mathbb{Z}$, the function $+ : \mathbb{R} \times \mathbb{R} \to \mathbb{R}$ and the predicate $<$ are definable in $FO(\mathbb{Z}, +, <) \uplus FO(\mathbb{D}, +, <)$ from examples 1, 2, 3 and 4. Thus, stability by first order operations provides the inclusion $FO(\mathbb{R}, \mathbb{Z}, +, <) \subseteq FO(\mathbb{Z}, +, <) \uplus FO(\mathbb{D}, +, <)$. We deduce the equality. □
Now, let us recall that sets definable in the Presburger logic $FO(\mathbb{Z}, +, <)$ can be characterized thanks to linear sets [23]. In fact, a set $Z \subseteq \mathbb{Z}^n$ is definable in this logic if and only if it is equal to a finite union of linear sets $b + P^*$ where $b \in \mathbb{Z}^n$, P is a finite subset of $\mathbb{Z}^n$, and $P^*$ denotes the set of finite sums $\sum_{i=1}^{k} p_i$ with $p_1, \dots, p_k \in P$ and $k \in \mathbb{N}$. This geometrical characterization can be extended to the class of sets definable in $FO(\mathbb{Z}, +, <) \uplus FO(\mathbb{D}, +, <)$ by introducing the class of polyhedral convex sets. A set $C \subseteq \mathbb{R}^n$ is said polyhedral convex if C is defined by a finite conjunction of formulas $\langle a, x \rangle \prec c$ where $a \in \mathbb{Z}^n$, $\prec \in \{<, \le\}$ and $c \in \mathbb{Z}$. Recall that a Fourier-Motzkin quantifier elimination proves that a set $C \subseteq \mathbb{R}^n$ is definable in $FO(\mathbb{R}, +, <)$ if and only if it is equal to a finite union of polyhedral convex sets. In [22], the authors have proved the following geometrical characterization: a set $R \subseteq \mathbb{R}^n$ is definable in $FO(\mathbb{R}, \mathbb{Z}, +, <)$ if and only if it is equal to a finite union of sets of the form $C + P^*$ where $C \subseteq \mathbb{R}^n$ is a polyhedral convex set and P is a finite subset of $\mathbb{Z}^n$.

3.1 Decomposing DBM-based representations 

In this section, we characterize an extension of DBM. We denote by $\bigcup DBM_{\mathbb{D}}$ the finite unions of DBM sets which are included in $\mathbb{D}^n$. Notice that $\bigcup DBM_{\mathbb{D}}$ is stable by first order operations, thanks to a Fourier-Motzkin quantifier elimination.

A CP-DBM$_L$ is a DBM where the vector c is no longer a constant, but a vector of parameters constrained by a formula $\phi(c)$ defined in a logic L. More precisely, a CP-DBM$_L$ is a tuple $(\phi, \prec)$ representing a set $R_{\phi,\prec}$ s.t.:

[Defining formula not reproduced.]

As introduced in [2], CPDBM correspond to CP-DBM$_L$ where L is the first-order arithmetic without quantifiers; in particular, multiplication is allowed in this formalism. In this section, we study another variation of DBM: CP-DBM$_+$, which is CP-DBM$_L$ where L is the decidable Presburger logic $FO(\mathbb{Z}, +, <)$. That is, CP-DBM$_+$ are CPDBM with quantifiers but without multiplication. We denote by $\bigcup CP\text{-}DBM_+$ the finite unions of $R_{\phi,\prec}$, i.e. finite unions of CP-DBM$_+$ sets.

We show that finite unions of CP-DBM$_+$ sets are in fact a combination of Presburger-definable sets and finite unions of DBM decimal sets:

Proposition 8. We have $\bigcup CP\text{-}DBM_+ = FO(\mathbb{Z}, +, <) \uplus \bigcup DBM_{\mathbb{D}}$.
Proof. Let us first prove the inclusion $\supseteq$. Let us consider a DBM $(c, \prec)$ denoting a set $D \subseteq \mathbb{D}^n$ and a Presburger formula $\psi(x)$ denoting a set $Z \subseteq \mathbb{Z}^n$, and let us prove that $Z + D$ is a $\bigcup CP\text{-}DBM_+$ set. Observe that $r \in Z + D$ if and only if there exists $z \in Z$ such that $r - z \in D$. The condition $r - z \in D$ is equivalent to $\bigwedge_{0 \le i,j \le n} r_i - r_j \prec_{i,j} c_{i,j} + z_i - z_j$. Let us consider the Presburger formula $\phi(p) := \exists z \in \mathbb{Z}^n\ \psi(z) \wedge \bigwedge_{0 \le i,j \le n} p_{i,j} = c_{i,j} + z_i - z_j$ and observe that $R_{\phi,\prec} = Z + D$. We have proved the inclusion $\supseteq$.

For the converse inclusion, let us consider a CP-DBM$_+$ set $R_{\phi,\prec}$. Let $Z_d = \mathbb{Z}^n \cap (R_{\phi,\prec} - d)$, indexed by $d \in \mathbb{D}^n$. Observe that $Z_d$ is actually the following set of vectors:

$$Z_d = \bigcup_{c \models \phi} \left\{ z \in \mathbb{Z}^n \,\middle|\, \bigwedge_{0 \le i,j \le n} z_i - z_j \prec_{i,j} c_{i,j} + (d_j - d_i) \right\}$$

Since $d_j - d_i \in \,]-1, 1[$ and $z_i - z_j, c_{i,j} \in \mathbb{Z}$, we deduce that $z_i - z_j \prec_{i,j} c_{i,j} + (d_j - d_i)$ is equivalent to $z_i - z_j \le c_{i,j}$ if $d_i - d_j \prec_{i,j} 0$, and it is equivalent to $z_i - z_j \le c_{i,j} - 1$ otherwise. Given a matrix $m = (m_{i,j})_{0 \le i,j \le n}$ such that $m_{i,j} \in \{0, 1\}$ for any $0 \le i,j \le n$, we denote by $I_m$ and $D_m$ the following sets:

$$I_m = \left\{ z \in \mathbb{Z}^n \,\middle|\, \exists c\ \phi(c) \wedge \bigwedge_{0 \le i,j \le n} z_i - z_j \le c_{i,j} - m_{i,j} \right\}$$

$$D_m = \left\{ d \in \mathbb{D}^n \,\middle|\, \bigwedge_{0 \le i,j \le n} (d_i - d_j \prec_{i,j} 0 \Leftrightarrow m_{i,j} = 0) \right\}$$

Note that $D_m$ is a DBM set and $Z_d = I_m$ for any $d \in D_m$. From $\bigcup_m D_m = \mathbb{D}^n$ we deduce that $R_{\phi,\prec} = \bigcup_{d \in \mathbb{D}^n} Z_d + \{d\} = \bigcup_m I_m + D_m$. We have proved that $R_{\phi,\prec}$ is definable in $FO(\mathbb{Z}, +, <) \uplus \bigcup DBM_{\mathbb{D}}$. □
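As an added example (not code from the paper), the following Python carries out the decomposition of the proof above for a single DBM read over the reals, i.e. the case where $\phi(c)$ fixes one constant matrix: it computes the matrix $m$ from the decimal part $d$ and checks on constructed sample points that $r \in R_{\phi,\prec}$ iff the integer part of $r$ lies in $I_m$. The zone, the index convention (0 is the fictive clock) and the encoding of $+\infty$ as `None` are assumptions of the example.

```python
from fractions import Fraction
from itertools import product
from math import floor

# Added example, not the paper's code.  A single DBM (c, prec) over n clocks,
# read over the reals, is split as in the proof of proposition 8 into pieces
# I_m + D_m.  Index 0 is the fictive clock (implicit coordinate r_0 = 0) and
# None stands for +infinity, i.e. the absence of a constraint.

INF = None

def _with_zero(v):
    """Prepend the fictive clock r_0 = 0 and make every coordinate exact."""
    return (Fraction(0),) + tuple(Fraction(x) for x in v)

def _holds(diff, bound, prec):
    return diff < bound if prec == "<" else diff <= bound

def dbm_contains(c, prec, r):
    """r in {r | /\\ r_i - r_j prec_ij c_ij} with r_0 = 0."""
    v = _with_zero(r)
    return all(c[i][j] is INF or _holds(v[i] - v[j], c[i][j], prec[i][j])
               for i, j in product(range(len(v)), repeat=2))

def split(r):
    """r = z + d with z integer and d decimal, as in section 2.3."""
    z = tuple(floor(Fraction(x)) for x in r)
    d = tuple(Fraction(x) - zi for x, zi in zip(r, z))
    return z, d

def carry_matrix(prec, d):
    """m_ij = 0 iff d_i - d_j prec_ij 0, else 1 (with d_0 = 0)."""
    v = _with_zero(d)
    n = len(v)
    return [[0 if _holds(v[i] - v[j], 0, prec[i][j]) else 1 for j in range(n)]
            for i in range(n)]

def in_integer_part(c, m, z):
    """z in I_m = {z | /\\ z_i - z_j <= c_ij - m_ij} with z_0 = 0 (phi fixes c)."""
    v = (0,) + tuple(z)
    return all(c[i][j] is INF or v[i] - v[j] <= c[i][j] - m[i][j]
               for i, j in product(range(len(v)), repeat=2))

def decomposition_agrees(c, prec, r):
    """Key step of the proof: r in R  iff  z in I_m, with (z, d) = split(r), m = m(d)."""
    z, d = split(r)
    return dbm_contains(c, prec, r) == in_integer_part(c, carry_matrix(prec, d), z)

def pieces(prec, samples):
    """Distinct matrices m(d) met on the samples: the finitely many pieces I_m + D_m."""
    return {tuple(map(tuple, carry_matrix(prec, split(r)[1]))) for r in samples}

# Constructed zone over clocks x (index 1) and y (index 2); entry (i, j) bounds r_i - r_j:
#   0 <= y <= 1,   x - y < 3,   y - x <= 0
C = [[0,   INF, 0],
     [INF, 0,   3],
     [1,   0,   0]]
P = [["<=", "<=", "<="],
     ["<=", "<=", "<"],
     ["<=", "<=", "<="]]

def sample_points():
    """Constructed quarter grid of (x, y) points around the zone."""
    return [(Fraction(a, 4), Fraction(b, 4)) for a in range(-4, 17) for b in range(-4, 9)]

if __name__ == "__main__":
    print(all(decomposition_agrees(C, P, r) for r in sample_points()))
    print(len(pieces(P, sample_points())), "pieces met on the grid")
```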

4 Beyond Presburger 

We have just shown our decomposition to be working on $FO(\mathbb{R}, \mathbb{Z}, +, <)$ and below. Now, we prove that it can also be used on more expressive logics. We take the example of Real Vector Automata (RVA) [16], which is, to the best of our knowledge, the most expressive decidable implemented representation for sets of real and integer vectors. RVA are used in the tool LASH [14][15]. In this section, the class of sets representable by RVA is proved decomposable into our formalism.

Let $b \ge 2$ be an integer called the basis of decomposition. We denote by $\Sigma_b = \{0, \dots, b-1\}$ the finite set of digits and by $S_b = \{0, b-1\}$ the set of sign digits. An infinite word $\sigma = s\, a_1 \dots a_k \star a_{k+1} a_{k+2} \dots$ over the alphabet $\Sigma_b^n \cup \{\star\}$ is said b-correct if $s \in S_b^n$ and $a_i \in \Sigma_b^n$ for any $i \ge 1$. In this case, $\sigma$ is called a most significant digit first decomposition of the following real vector $\rho_b(\sigma) \in \mathbb{R}^n$:

[Formula not reproduced.]

A Real Vector Automaton (RVA) in basis b is a Büchi automaton A over the alphabet $\Sigma_b^n \cup \{\star\}$ such that the language $Lan(A)$ recognized by A contains only b-correct words. The set $[\![A]\!]$ represented by A is defined by $[\![A]\!] = \{\rho_b(\sigma) \mid \sigma \in Lan(A)\}$. A set $R \subseteq \mathbb{R}^n$ is said b-recognizable if there exists a RVA A in basis b such that $R = [\![A]\!]$.

According to [16], the class of b-recognizable sets can be logically characterized by $FO(\mathbb{R}, \mathbb{Z}, +, <, X_b)$ where $X_b$ is an additional predicate. The predicate $X_b$ over $\mathbb{R}^3$ is such that $X_b(x, u, a)$ is true if and only if there exists a most significant digit first decomposition $\sigma = s\, a_1 \dots a_k \star a_{k+1} \dots$ of x and an integer $i \in \mathbb{N}$ such that $a_i = a$ and $u = b^{k-i}$.

Theorem 9 ([16]). A set $R \subseteq \mathbb{R}^n$ is b-recognizable if and only if it is definable in $FO(\mathbb{R}, \mathbb{Z}, +, <, X_b)$.

In order to provide a decomposition of $FO(\mathbb{R}, \mathbb{Z}, +, <, X_b)$, the predicate $X_b$ is proved expressible by two valuation functions $V_b$ and $W_b$ where:

• $V_b : \mathbb{Z} \setminus \{0\} \to \mathbb{Z}$ is the integer valuation function introduced in [19] and defined by $V_b(z) = b^j$, where $j \in \mathbb{Z}$ is the greatest integer such that $b^{-j} z \in \mathbb{Z}$.

• $W_b : \mathbb{D} \setminus \{0\} \to \mathbb{D}$ is the decimal valuation function defined by $W_b(d) = b^j$, where $j \in \mathbb{Z}$ is the least integer such that $b^{-j} d \in \mathbb{D}$.

By expressing $X_b$ in $FO(\mathbb{R}, \mathbb{Z}, +, <, V_b, W_b)$ and $V_b, W_b$ in $FO(\mathbb{R}, \mathbb{Z}, +, <, X_b)$ we deduce that $FO(\mathbb{R}, \mathbb{Z}, +, <, X_b) = FO(\mathbb{R}, \mathbb{Z}, +, <, V_b, W_b)$. Finally, from proposition 6 and theorem 7 we get the following proposition.

Proposition 10. $FO(\mathbb{R}, \mathbb{Z}, +, <, X_b) = FO(\mathbb{Z}, +, <, V_b) \uplus FO(\mathbb{D}, +, <, W_b)$.

Moreover, it is clear that the logic $FO(\mathbb{Z}, +, <, V_b) \uplus FO(\mathbb{D}, +, <, W_b)$ extends $FO(\mathbb{Z}, +, <) \uplus FO(\mathbb{D}, +, <)$. However, even if the function $W_b$ is crucial to logically characterize the class of b-recognizable sets, this predicate is not used in practice. In fact, in order to get efficient algorithms for manipulating Büchi automata (more precisely, minimization and determinization), we only consider sets $R \subseteq \mathbb{R}^n$ that can be represented by a weak RVA [14]. Recall that a Büchi automaton A is said weak if any strongly connected component S satisfies $S \subseteq F$ or $S \cap F = \emptyset$, where F is the set of accepting states. Unfortunately, the class of sets $R \subseteq \mathbb{R}^n$ representable by a weak RVA is not logically characterized since this class is not stable by first order operations (because of projection). In practice, since any set $R \subseteq \mathbb{R}^n$ definable in $FO(\mathbb{R}, \mathbb{Z}, +, <, V_b)$ can be represented by a weak RVA, the RVA symbolic representation is only used for representing sets in this logic (i.e. without $W_b$). Just remark that $FO(\mathbb{R}, \mathbb{Z}, +, <, V_b) = FO(\mathbb{Z}, +, <, V_b) \uplus FO(\mathbb{D}, +, <)$. Finally, note that weak RVA are used in the tool LIRA [8], whose benchmarks show very efficient computation times for sets defined in $FO(\mathbb{R}, \mathbb{Z}, +, <)$.

5 Towards an implementation 

From an implementation perspective, our decomposition has been designed to fit Genepi's requirements. Genepi [26] is a modular framework supporting Presburger-based solvers and model-checkers, distributed under GNU Public License. Its core consists of a plugin manager, which computes generic operations (such as boolean operations, quantification, satisfiability) on sets encoded as the solutions of Presburger-like formulas. Different implementations of these operations can be used as plugins; existing ones include PresTAF, LIRA, LASH, MONA, OMEGA, and PPL. We have begun to design a plugin for our decomposition, which uses two existing plugins: one for the integer part, and one for the decimal part.

Once this plugin is ready, any combination of two other plugins is possible: for example, one could try PresTAF over integers and PPL over decimals. One could even be curious and study the efficiency of two instances of LIRA plugins, each one working on its own part (integer or decimal). Another benefit, coming from the new decomposition of RVA, would be to use the LASH plugin only on one part, and manage the other one differently: this might improve the effectiveness of RVA, which are very expressive but not really efficient in practice. So far, our first tests on small conjunctions of linear constraints show execution times close to the ones of LIRA.

What we need now for an implementation is a unique way to represent sets. Indeed, in order to avoid unduly complicated representations of sets, we have to make our representation canonical. Therefore, let us set the theoretical framework we use in practice.

Let $\mathfrak{Z} \subseteq \mathcal{P}(\mathbb{Z}^n)$ and $\mathfrak{D} \subseteq \mathcal{P}(\mathbb{D}^n)$. Notice that if $R = (Z + D_1) \cup (Z + D_2)$, then $R = Z + D$ with $D = D_1 \cup D_2$; we will always suppose wlog that $\mathfrak{D}$ is closed under union. Then, notice that $R \subseteq \mathbb{R}^n$ can be represented by a partially defined function $f_R$ such that:

$$f_R : \mathfrak{Z} \to \mathfrak{D}$$

This function's interpretation is defined as $[\![f_R]\!] = \bigcup_{i=1}^{p} (Z_i + f_R(Z_i))$, which matches the natural writing of R introduced in section 2.3. Note that this representation $f_R$ is not unique.

For technical reasons, we extend $f_R$ to a totally defined function $\bar{f}_R$ s.t. $\bar{f}_R(Z) = \emptyset$ if $Z \notin dom(f_R)$ and $\bar{f}_R(Z) = f_R(Z)$ otherwise. Moreover, we define the support of $\bar{f}_R$ as $supp(\bar{f}_R) = \{Z \mid \bar{f}_R(Z) \ne \emptyset\}$. In the remainder of this paper, we will use without ambiguity the notation $f_R$ instead of $\bar{f}_R$.

We are now able to represent the set R with a function we wish to handle. Therefore, we want to identify $f_R$ and $[\![f_R]\!]$: in order to do so, this latter interpretation has to be an injection. Generally, this is not the case: using the previous definitions, we could have different writings of $[\![f_R]\!]$. However, if the images by $f_R$ are disjoint, then the interpretation $[\![f_R]\!]$ is an injection. Finally, for effectivity reasons, we will only consider functions whose support is finite. In the remainder of this section, we formalize this reasoning. Let $\mathcal{F}_{\mathfrak{Z},\mathfrak{D}} = \{ f : \mathfrak{Z} \to \mathfrak{D} \mid supp(f) \text{ is finite} \}$.

Definition 11. The interpretation function $[\![\cdot]\!]$ associates to every $f \in \mathcal{F}_{\mathfrak{Z},\mathfrak{D}}$ the set of real vectors defined by

$$[\![f]\!] = \bigcup_{Z \in supp(f)} (Z + f(Z)).$$

Notice that since $supp(f)$ is finite, the functions of $\mathcal{F}_{\mathfrak{Z},\mathfrak{D}}$ do not suffice to represent every set of real vectors, as shown in the counter-example of section 2.3. Let us now restrict ourselves to the functions we handle:

Definition 12. An IDF (Integer-Decimal Function) is a function $f \in \mathcal{F}_{\mathfrak{Z},\mathfrak{D}}$ such that $\bigcup_Z f(Z) = \mathbb{D}^n$ and such that $Z \ne Z' \Rightarrow f(Z) \cap f(Z') = \emptyset$. We denote them all by $IDF_{\mathfrak{Z},\mathfrak{D}} = \{ f \in \mathcal{F}_{\mathfrak{Z},\mathfrak{D}} \mid f \text{ is an IDF} \}$. We also write $[\![IDF_{\mathfrak{Z},\mathfrak{D}}]\!] = \{ [\![f]\!] \mid f \in IDF_{\mathfrak{Z},\mathfrak{D}} \}$.

The sets from examples 1, 2, 3 and 4 are represented by the following IDF:

Example 13. The empty set is represented by the IDF $f_\bot$ defined by $f_\bot(Z) = \emptyset$ for any $Z \ne \emptyset$ and by $f_\bot(\emptyset) = \mathbb{D}^n$. The set $\mathbb{R}^n$ is represented by the IDF $f_\top$ (also noted $f_{\mathbb{R}^n}$) defined by $f_\top(\mathbb{Z}^n) = \mathbb{D}^n$ and $f_\top(Z) = \emptyset$ otherwise. The set $\mathbb{Z}^n$ is represented by the IDF $f_{\mathbb{Z}^n}$ defined by $f_{\mathbb{Z}^n}(\mathbb{Z}^n) = \{0\}$, $f_{\mathbb{Z}^n}(\emptyset) = \mathbb{D}^n \setminus \{0\}$ (so that the images cover $\mathbb{D}^n$, as definition 12 requires) and $f_{\mathbb{Z}^n}(Z) = \emptyset$ otherwise.

Example 14. The set $R_= = \{r \in \mathbb{R}^2 \mid r_1 = r_2\}$ is represented by the IDF $f_=$ defined by $f_=(Z_=) = D_=$, $f_=(\emptyset) = \mathbb{D}^2 \setminus D_=$ and $f_=(Z) = \emptyset$ otherwise, where:

$$Z_= = \{z \in \mathbb{Z}^2 \mid z_1 = z_2\} \qquad D_= = \{d \in \mathbb{D}^2 \mid d_1 = d_2\}$$

Example 15. The set $R_< = \{r \in \mathbb{R}^2 \mid r_1 < r_2\}$ is represented by the IDF $f_<$ defined by $f_<(Z_\le) = D_<$, $f_<(Z_<) = D_\ge$ and $f_<(Z) = \emptyset$ otherwise, where:

$$Z_\le = \{z \in \mathbb{Z}^2 \mid z_1 \le z_2\} \qquad D_\ge = \{d \in \mathbb{D}^2 \mid d_1 \ge d_2\}$$

$$Z_< = \{z \in \mathbb{Z}^2 \mid z_1 < z_2\} \qquad D_< = \{d \in \mathbb{D}^2 \mid d_1 < d_2\}$$

Example 16. The set $R_+ = \{r \in \mathbb{R}^3 \mid r_1 + r_2 = r_3\}$ is represented by the IDF $f_+$ defined by $f_+(Z_0) = D_0$, $f_+(Z_1) = D_1$, $f_+(\emptyset) = \mathbb{D}^3 \setminus (D_0 \cup D_1)$ and $f_+(Z) = \emptyset$ otherwise, where (intuitively $c \in \{0, 1\}$ denotes a carry):

$$Z_c = \{z \in \mathbb{Z}^3 \mid z_1 + z_2 + c = z_3\}$$

$$D_c = \{d \in \mathbb{D}^3 \mid d_1 + d_2 = d_3 + c\}$$

Observe that any set in $[\![IDF_{\mathfrak{Z}_n,\mathfrak{D}_n}]\!]$ is in $\mathfrak{Z}_n \uplus \mathfrak{D}_n$. The converse is obtained by proving the following proposition:

Proposition 17 (Closure by union). Let $R \in [\![IDF_{\mathfrak{Z}_n,\mathfrak{D}_n}]\!]$. Then, for any $Z \in \mathfrak{Z}_n$ and $D \in \mathfrak{D}_n$, we also have $R \cup (Z + D) \in [\![IDF_{\mathfrak{Z}_n,\mathfrak{D}_n}]\!]$.

Proof. We consider an IDF $f : \mathfrak{Z}_n \to \mathfrak{D}_n$ such that $[\![f]\!] = R$ and two sets $Z \in \mathfrak{Z}_n$ and $D \in \mathfrak{D}_n$. We must prove that there exists an IDF $f' : \mathfrak{Z}_n \to \mathfrak{D}_n$ such that $[\![f']\!] = R'$ with $R' = R \cup (Z + D)$. We consider the following function:

$$f' : \mathfrak{Z}_n \to \mathfrak{D}_n, \qquad Z' \mapsto (f(Z') \setminus D) \;\cup\; \bigcup_{Z'' \mid Z'' \cup Z = Z'} (f(Z'') \cap D)$$

As expected, we are going to prove that $f'$ is an IDF such that $[\![f']\!] = R'$. We first show that $f'$ is an IDF. First of all, observe that $\bigcup_{Z'} f'(Z') = \mathbb{D}^n$. Next, let $Z'_1, Z'_2 \in \mathfrak{Z}_n$ such that $f'(Z'_1) \cap f'(Z'_2) \ne \emptyset$; then either $(f(Z'_1) \setminus D) \cap (f(Z'_2) \setminus D) \ne \emptyset$, or there exist $Z''_1, Z''_2$ such that $Z''_1 \cup Z = Z'_1$ and $Z''_2 \cup Z = Z'_2$ and $(f(Z''_1) \cap D) \cap (f(Z''_2) \cap D) \ne \emptyset$, since the other cases are not possible. But $(f(Z'_1) \setminus D) \cap (f(Z'_2) \setminus D) \ne \emptyset$ implies $f(Z'_1) \cap f(Z'_2) \ne \emptyset$ and since f is an IDF we get $Z'_1 = Z'_2$. And $(f(Z''_1) \cap D) \cap (f(Z''_2) \cap D) \ne \emptyset$ implies $Z''_1 = Z''_2$ and in particular $Z'_1 = Z'_2$. We have proved that $f'$ is an IDF. Finally, the equality $[\![f']\!] = R'$ comes from:

$$[\![f']\!] = \bigcup_{Z'} (Z' + f'(Z'))$$

$$= \bigcup_{Z'} \Big( (Z' + (f(Z') \setminus D)) \;\cup\; \bigcup_{Z'' \mid Z'' \cup Z = Z'} (Z' + (f(Z'') \cap D)) \Big)$$

$$= \bigcup_{Z'} (Z' + (f(Z') \setminus D)) \;\cup\; \bigcup_{Z''} ((Z'' \cup Z) + (f(Z'') \cap D))$$

$$= \bigcup_{Z''} \big( Z'' + ((f(Z'') \setminus D) \cup (f(Z'') \cap D)) \big) \;\cup\; \Big( Z + D \cap \big( \bigcup_{Z''} f(Z'') \big) \Big)$$

$$= [\![f]\!] \cup (Z + D)$$

□

Hence, we have just proved the following proposition:

Proposition 18. $\mathfrak{Z}_n \uplus \mathfrak{D}_n = [\![IDF_{\mathfrak{Z}_n,\mathfrak{D}_n}]\!]$.
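The following Python is an added example (not code from the paper) of propositions 17 and 18 on a bounded stand-in for $\mathbb{Z}^2$: integer sets are finite frozensets of vectors in a box (an assumption of the example), decimal sets are membership predicates, and an IDF is a dictionary whose images must partition $\mathbb{D}^2$; the union construction $f'$ from the proof of proposition 17 is applied to $f_<$ of example 15 together with the pieces of $R_=$ from example 14, and the result is checked on constructed sample points.

```python
from fractions import Fraction
from itertools import product
from math import floor

# Added example, not the paper's code.  Z^2 is replaced by the finite box BOX
# (an assumption of this example) so that integer sets are comparable
# frozensets; decimal sets are membership predicates on D^2 = [0,1[^2.

N = 2
BOX = frozenset(product(range(-2, 3), repeat=N))   # constructed stand-in for Z^2

def pred_and(p, q):
    return lambda d: p(d) and q(d)

def pred_or(p, q):
    return lambda d: p(d) or q(d)

def pred_not(p):
    return lambda d: not p(d)

def split(r):
    """r = z + d with z integer and d decimal, as in section 2.3."""
    z = tuple(floor(Fraction(x)) for x in r)
    d = tuple(Fraction(x) - zi for x, zi in zip(r, z))
    return z, d

def idf_member(f, r):
    """Definition 11: r in [[f]] = U_Z (Z + f(Z))."""
    z, d = split(r)
    return any(z in Z and D(d) for Z, D in f.items())

def is_idf_on(f, decimals):
    """Definition 12 checked on sample decimals: the images of f partition D^n."""
    return all(sum(1 for D in f.values() if D(d)) == 1 for d in decimals)

def idf_union(f, Z, D):
    """Proof of prop. 17: f'(Z') = (f(Z') minus D)  u  U_{Z'' | Z'' u Z = Z'} (f(Z'') n D)."""
    empty = lambda d: False
    g = {}
    for Zp, Dp in f.items():
        g[Zp] = pred_or(g.get(Zp, empty), pred_and(Dp, pred_not(D)))   # f(Z') minus D
        key = Zp | Z                                                      # Z'' u Z = Z'
        g[key] = pred_or(g.get(key, empty), pred_and(Dp, D))             # f(Z'') n D
    return g

# Example 15: the IDF f_< representing R_< = {r | r1 < r2}
Z_LE = frozenset(z for z in BOX if z[0] <= z[1])
Z_LT = frozenset(z for z in BOX if z[0] < z[1])
F_LT = {Z_LE: lambda d: d[0] < d[1], Z_LT: lambda d: d[0] >= d[1]}

# Example 14: the pieces Z_= and D_= of R_= = {r | r1 = r2}, to be added by union
Z_EQ = frozenset(z for z in BOX if z[0] == z[1])
D_EQ = lambda d: d[0] == d[1]

def sample_decimals():
    """Constructed decimals on a quarter grid of [0,1[^2."""
    return [(Fraction(a, 4), Fraction(b, 4)) for a in range(4) for b in range(4)]

def sample_reals():
    """Constructed reals whose integer parts fall inside BOX."""
    coords = [Fraction(k, 4) for k in range(-8, 12)]   # -2 .. 2.75
    return [(x, y) for x in coords for y in coords]

def union_is_le():
    """[[f_< u (Z_= + D_=)]] is R_<= on the samples, the result is still an IDF,
    and its support is the same two integer sets (images d1 <= d2 and d1 > d2)."""
    g = idf_union(F_LT, Z_EQ, D_EQ)
    agrees = all(idf_member(g, r) == (r[0] <= r[1]) for r in sample_reals())
    return agrees and is_idf_on(g, sample_decimals()) and set(g) == {Z_LE, Z_LT}

if __name__ == "__main__":
    print(is_idf_on(F_LT, sample_decimals()), union_is_le())
```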

Let us prove that this new representation is canonical:

Proposition 19. For any $f_1, f_2 \in IDF_{\mathfrak{Z},\mathfrak{D}}$, $[\![f_1]\!] = [\![f_2]\!] \Rightarrow f_1 = f_2$.

Proof. Consider $Z_1 \subseteq \mathbb{Z}^n$ and let us prove that $f_1(Z_1) \subseteq f_2(Z_1)$. Naturally, we can assume that $f_1(Z_1) \ne \emptyset$ since otherwise the inclusion is immediate. In this case, there exists $d \in f_1(Z_1)$. As $(f_2(Z))_Z$ forms a partition of $\mathbb{D}^n$, there exists $Z_2$ such that $d \in f_2(Z_2)$. Let us prove that $Z_1 \subseteq Z_2$. We can assume that $Z_1 \ne \emptyset$. Let $z_1 \in Z_1$ and observe that $r_1 = z_1 + d \in [\![f_1]\!]$ and from $[\![f_1]\!] = [\![f_2]\!]$ we get $r_1 \in [\![f_2]\!]$. Thus, there exists $Z'_2$ such that $r_1 \in Z'_2 + f_2(Z'_2)$. Since $Z'_2 \subseteq \mathbb{Z}^n$ and $f_2(Z'_2) \subseteq \mathbb{D}^n$ we get $z_1 \in Z'_2$ and $d \in f_2(Z'_2)$. As $(f_2(Z))_Z$ forms a partition of $\mathbb{D}^n$ and $d \in f_2(Z_2) \cap f_2(Z'_2)$, we get $Z_2 = Z'_2$. In particular $z_1 \in Z_2$ and we have proved that $Z_1 \subseteq Z_2$. The other inclusion $Z_2 \subseteq Z_1$ is obtained symmetrically. We have proved that $Z_1 = Z_2$. Therefore, $f_1(Z_1) \subseteq f_2(Z_1)$ for any $Z_1$. By symmetry we deduce that $f_1(Z) = f_2(Z)$ for any Z. Therefore $f_1 = f_2$. □

Notice that in practice, this canonicity depends on how the sets in $\mathfrak{Z}$ and $\mathfrak{D}$ are represented. Indeed, if any of these representations are not canonical, then we cannot guarantee that an $IDF_{\mathfrak{Z},\mathfrak{D}}$ will be canonical.

6 Conclusion 

We have proposed a decomposition of three known classes into finite unions of sums of integers and decimals, providing a new characterization. This decomposition can be applied to other subsets of real vectors, and possibly yield an interest in the exploration of decidable subclasses of the full arithmetic.

Our main goal is to use this representation of real vectors to verify infinite systems involving counters and clocks. Indeed, we wish to extend the abilities of the tool Fast to the reals, so that it can compute exact reachability sets using acceleration techniques. A first step in such an implementation is the framework Genepi, allowing to solve mixed integer and real constraints defined in first-order theories. Thus, our decomposition would allow working separately on integers and reals.

Another advantage of our decomposition is that we can now compute operations that we did not know how to perform on certain logics. For example, there is currently no algorithm computing directly the convex hull of a set defined in $FO(\mathbb{R}, \mathbb{Z}, +, <)$; but thanks to our decomposition, the problem reduces to the computation of the convex hull of Presburger-definable sets (as automata [19] or as semi-linear sets [23]), and the convex hull of sets definable in $FO(\mathbb{D}, +, <)$ (as finite unions of convex sets, using Fourier-Motzkin). We can push this reasoning to other symbolic representations and to other operations, such as upward or downward closure.

Globally, this method of separating integers and reals would speed up the software development process, because of the ease of using already existing plugins. As mentioned above, one can test the combination of any pair of plugins (provided there's at least one working on reals and another one on integers). Furthermore, a very interesting point is that a programmer can test his new plugin for real sets directly in Genepi, and then extend its expressivity by coupling it with PresTAF or another plugin handling integer sets. Obviously, the converse (extending an integer plugin to the reals) is also possible in the same fashion.